This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

Dashboards and filters

Why does Ceridian Dayforce show as "Pending" in Secureframe after it's been connected in the Finch dashboard?

• Even if the connection is marked as complete in the Finch dashboard, you may still see the integration status as "Pending" in the Secureframe platform. This is a common scenario and typically means the data sync hasn’t yet been triggered on our end.

  How can I resolve the “Pending” status?
  If the Finch connection was created over 20 days ago, our internal teams may need to manually trigger a sync to complete the connection process.

  Once the sync completes, the connection status should update from "Pending" to "Connected."

Notifications and SLAs

Can reminder templates be edited?

• At this time, email reminder templates cannot be edits, but we are currently working on a Custom Notification feature which will be fully customizable.

Do email notifications go out in real time or periodically on a schedule and can they adjust that schedule to weekly for example?

• Notifications go out on a set schedule and can be customized to be sent weekly or as needed.

How can I disable notifications altogether?

• You can disable reminders for personnel tasks by setting the notification frequency to "None". There are two ways to do this:

  As an Admin:
  Go to Personnel → Settings (gear icon) → Email Notification tab and set the frequency to None. This will stop reminders for all users unless they override it individually.

  As a User:
  Go to your avatar → My Settings → Notifications tab, and under Personnel Task Notification Frequency, choose None. This will stop reminders for just your account.

  Note: This only applies to Secureframe-generated personnel tasks (e.g., onboarding, training, policy acknowledgment). Other task types like Control or Test Failure notifications must be set by the individual user.

If a group is removed from the automatic invite in the onboarding section, will users who were previously invited as part of that group continue to receive reminder emails?

• Correct. If you remove a group from the automatic invites, they will also stop receiving email notifications via email.

Notification of lifted data processing restrictions. What do you mean by lifted data processing? What kind of evidence do you need?

• Lifting data processing restrictions may occur when data accuracy is contested, processing is unlawful, or the controller no longer needs the data but the data subject does for legal claims. If processing is lifted, the controller must notify the data subject. Evidence may not be needed if no restrictions have been lifted.

Why is an admin user not receiving audit email notifications in Secureframe?

• Audit email notifications are only sent to users who meet all of the following criteria:

  Active status: The user must be marked as active: true
  Employee type: Must be set to employee or contractor
  Access role: Must be Admin or Super Admin

  Non-personnel accounts (such as shared mailboxes or service accounts) are not treated as active users in the system and will not receive these notifications. If an admin is not receiving audit emails, confirm that their personnel record meets all three criteria above.

Tasks and assignments

How can due dates be removed from tests?

• Currently, there is no option to completely remove a due date from tests in Secureframe.

  Since compliance requirements generally expect tests to be performed at least annually, we recommend setting the due date frequency to Annually as the best practice.

  We’ve submitted a feature request for an option to remove due dates entirely, and our team will provide updates if this functionality becomes available in the future.

How can I delete multiple tasks at once?

• Currently, the Task table does not include a bulk selection to ensure each task is appropriately reviewed.

What tasks should these reviews include?

• These reviews should include daily log reviews, configuration reviews for network security controls, applying configuration standards to new systems, responding to security alerts, and change-management processes.

Why aren't my employees receiving automated email notifications for their pending tasks?

• Automated email notifications for personnel tasks are only sent to employees who have a start date configured in their profile. If an employee doesn't have a start date set, they will not receive automated daily or weekly email reminders, even if their notification frequency is configured. This is intentional functionality to ensure notifications are only sent to active employees. To resolve this, verify that all employees who should receive automated notifications have a start date configured in their personnel profile. You can manually send task reminder emails to users without start dates using the "Remind" button, but they will not receive automated notifications until a start date is added to their profile.

Workspaces

Does a newly created Workspace automatically mirror the main tenant's IdP setup, or can it support a completely separate IdP connection? Does the "one connection per account" limit apply to the entire org or per Workspace?

• Each Workspace is its own instance and can have its own IdP connection. The "one connection per account" limit applies at the Workspace level, not across the entire org.

Does the parent org admin have access to all Workspaces?

• Yes — the parent/primary org admin has access to all child Workspaces, while each child Workspace only has access to its own instance.

Additional customer questions

How can I indicate a specific party as responsible within Secureframe?

• Secureframe allows you to assign ownership across several areas of the platform to clearly designate responsibility. You can assign an individual or team as the owner for items such as:

  Tests

  Controls

  Policies

  Tasks

  Access reviews

  Assets in the inventory

  Risks

  Vendors

  Questionnaires

  Knowledge Base articles

  To assign ownership, navigate to the relevant item, look for the "Owner" field (typically located in the details or settings section), and select the appropriate user or team from the dropdown. This helps ensure accountability and visibility across your compliance program.

For the cloud infrastructure asset ownership test, does the assigned owner need to be an individual, or can it be a team or group?

The owner must be an individual user in the Secureframe platform — a team, group, or role cannot be assigned. Each cloud asset's owner field is tied to a single person. If you need to quickly assign ownership across many assets, you can set a default owner under Asset Inventory → the ellipsis menu → Manage Default Owner for Cloud Resources, but it still needs to be one specific person.

What happens when I assign a question to another user?

This creates a task for the user, linking them to the specific questionnaire they were tagged to review. The tasks will appear on Secureframe’s dashboard.

Change management and post-change review

Does Secureframe support Change Request (CRQ) functionality?

Secureframe does not support CRQ functionality at this time. If you are looking for this ability or want to understand what Secureframe can currently support for your workflow, please reach out to your CSM for more guidance.

If we don't have Terraform/other for IAS, do you have any other suggestions for change management? Or can we just show only software change management?

Depends on their tech stack, but we also suggest using Ansible or Puppet for change management.

What does an organization need to meet compliance if they don't test or perform a post-change review for every change?

Amend the change management policy to define which changes require testing and post-change review, or begin testing and reviewing all changes.